java.security.cert.PKIXRevocationChecker Java Examples

The following examples show how to use java.security.cert.PKIXRevocationChecker. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: ValWithAnchorByName.java    From openjdk-jdk9 with GNU General Public License v2.0 7 votes vote down vote up
/**
 * Validates the path built from {@code certList} against one trust anchor,
 * with OCSP responses handed to the revocation checker up front.
 *
 * The responses are registered through
 * {@link PKIXRevocationChecker#setOcspResponses} for the first two
 * certificates of the list, and validation is evaluated at {@code EVAL_DATE}
 * rather than at the current time.
 *
 * @param cf factory used to turn the certificate list into a CertPath
 * @param certList certificates of the path; elements 0 and 1 are read, so the
 *        list must hold at least two entries
 * @param anchor the only trust anchor accepted for this validation
 * @throws Exception if the path cannot be generated or does not validate
 */
private static void runTest(CertificateFactory cf,
        List<X509Certificate> certList, TrustAnchor anchor)
        throws Exception {
    CertPath certPath = cf.generateCertPath(certList);
    CertPathValidator pkixValidator = CertPathValidator.getInstance("PKIX");

    System.out.println(anchor);

    // The checker obtained from the validator is the one that will consult
    // the pre-supplied OCSP responses below.
    PKIXRevocationChecker revocationChecker =
            (PKIXRevocationChecker) pkixValidator.getRevocationChecker();

    Map<X509Certificate, byte[]> presetResponses = new HashMap<>();
    X509Certificate firstCert = certList.get(0);
    presetResponses.put(firstCert, DECODER.decode(EE_OCSP_RESP));
    X509Certificate secondCert = certList.get(1);
    presetResponses.put(secondCert, DECODER.decode(INT_CA_OCSP_RESP));
    revocationChecker.setOcspResponses(presetResponses);

    // Exactly one anchor is trusted; the checker is attached explicitly and
    // the evaluation date is pinned.
    PKIXParameters validationParams =
            new PKIXParameters(Collections.singleton(anchor));
    validationParams.addCertPathChecker(revocationChecker);
    validationParams.setDate(EVAL_DATE);

    pkixValidator.validate(certPath, validationParams);
}
 
Example #2
Source File: TrustManagerFactoryFactory.java    From ditto with Eclipse Public License 2.0 6 votes vote down vote up
/**
 * Builds a PKIX TrustManagerFactory, either for caller-supplied CA
 * certificates or for the default CA keystore.
 *
 * Only the default-CA branch attaches a {@link PKIXRevocationChecker}. No
 * options are set on it, so the checker's default options apply. The
 * custom-CA branch initialises the factory from a keystore alone and adds no
 * revocation checker here.
 * NOTE(review): whether revocation is checked for custom CAs then depends on
 * JVM-level defaults - confirm this is the intended policy.
 *
 * @param trustedCertificates PEM text of the CA certificates to trust, or
 *        {@code null} to use the default CAs
 * @return the initialised factory
 */
private TrustManagerFactory createTrustManagerFactory(@Nullable final String trustedCertificates)
        throws NoSuchAlgorithmException, CertificateException, KeyStoreException,
        InvalidAlgorithmParameterException {
    final TrustManagerFactory factory = TrustManagerFactory.getInstance(PKIX);

    if (trustedCertificates == null) {
        // standard CAs; add revocation check
        final PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance(PKIX).getRevocationChecker();
        final PKIXBuilderParameters builderParameters =
                new PKIXBuilderParameters(DEFAULT_CA_KEYSTORE, new X509CertSelector());
        builderParameters.addCertPathChecker(checker);
        factory.init(new CertPathTrustManagerParameters(builderParameters));
        return factory;
    }

    // Caller-supplied CAs: every certificate parsed from the PEM text becomes
    // a trusted entry "ca-0", "ca-1", ... in a fresh keystore.
    final KeyStore trustStore = keyStoreFactory.newKeystore();
    final byte[] pemBytes = trustedCertificates.getBytes(StandardCharsets.US_ASCII);
    final Collection<? extends Certificate> parsedCaCerts =
            X509_CERTIFICATE_FACTORY.generateCertificates(new ByteArrayInputStream(pemBytes));
    long index = 0;
    for (final Certificate parsedCaCert : parsedCaCerts) {
        trustStore.setCertificateEntry("ca-" + index, parsedCaCert);
        index++;
    }
    factory.init(trustStore);
    return factory;
}
 
Example #3
Source File: ValidatePathWithParams.java    From dragonwell8_jdk with GNU General Public License v2.0 5 votes vote down vote up
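/**
 * Creates the X509 certificate factory, the PKIX path validator and the
 * validator's revocation checker, and records any additional trust roots.
 *
 * @param additionalTrustRoots trusted root certificates; {@code null}, an
 *        empty array, or an array whose first element is {@code null} all
 *        mean that no additional roots are recorded
 * @throws IOException declared by the signature; nothing in this body
 *         visibly throws it
 * @throws CertificateException if no X509 CertificateFactory is available
 * @throws NoSuchAlgorithmException if no PKIX CertPathValidator is available
 */
public ValidatePathWithParams(String[] additionalTrustRoots)
        throws IOException, CertificateException, NoSuchAlgorithmException {

    cf = CertificateFactory.getInstance("X509");
    certPathValidator = CertPathValidator.getInstance("PKIX");
    // The checker is taken from the validator it will be used with; its
    // options are left untouched here.
    certPathChecker
            = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();

    // Check the length before reading element 0, so that an empty array is
    // treated like "no additional roots" instead of raising
    // ArrayIndexOutOfBoundsException.
    if ((additionalTrustRoots == null) || (additionalTrustRoots.length == 0)
            || (additionalTrustRoots[0] == null)) {
        trustedRootCerts = null;
    } else {
        // Defensive copy: later changes to the caller's array are not seen.
        trustedRootCerts = additionalTrustRoots.clone();
    }
}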
 
Example #4
Source File: PKIXChainValidation.java    From fido2 with GNU Lesser General Public License v2.1 5 votes vote down vote up
/**
 * Runs PKIX validation of a certificate path and reports the outcome as a
 * boolean.
 *
 * With {@code isRevocationChecked} set, revocation is checked through CRLs
 * only (PREFER_CRLS plus NO_FALLBACK). SOFT_FAIL is not set, so a revocation
 * status that cannot be determined makes validation fail. Without the flag,
 * revocation checking is switched off entirely.
 *
 * A {@code false} result does not distinguish an invalid path from a setup
 * problem (missing PKIX provider, unusable trust anchors): all of them are
 * logged at SEVERE and mapped to {@code false}.
 *
 * @param cp certificate path to validate
 * @param trustAnchorSet trust anchors the path must chain to
 * @param isRevocationChecked whether CRL-based revocation checking is applied
 * @param isPolicyQualifiersRejected passed to
 *        {@link PKIXParameters#setPolicyQualifiersRejected}
 * @return {@code true} if the validator returned a result, {@code false}
 *         otherwise
 */
public static boolean pkixvalidate(CertPath cp, Set<TrustAnchor> trustAnchorSet,
        boolean isRevocationChecked, boolean isPolicyQualifiersRejected) {
    try {
        //TODO use BCFIPS when "Support for PKIXRevocationChecker
        //in the CertPath implementation" is added
        CertPathValidator pathValidator = CertPathValidator.getInstance("PKIX");

        PKIXParameters validationParams = new PKIXParameters(trustAnchorSet);

        if (!isRevocationChecked) {
            validationParams.setRevocationEnabled(false);
        } else {
            // CRL only: prefer CRLs and never fall back to OCSP.
            PKIXRevocationChecker crlChecker =
                    (PKIXRevocationChecker) pathValidator.getRevocationChecker();
            crlChecker.setOptions(EnumSet.of(
                    PKIXRevocationChecker.Option.PREFER_CRLS,
                    PKIXRevocationChecker.Option.NO_FALLBACK));
            validationParams.addCertPathChecker(crlChecker);
        }

        validationParams.setPolicyQualifiersRejected(isPolicyQualifiersRejected);
        // A null date means validity is evaluated at the current time.
        validationParams.setDate(null);

        // An invalid path is reported by validate() through
        // CertPathValidatorException; the null test is kept as a safeguard.
        CertPathValidatorResult outcome = pathValidator.validate(cp, validationParams);
        boolean validated = outcome != null;
        System.out.println(validated ? "Certificate validated" : "Certificate not valid");
        return validated;
    } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException | CertPathValidatorException ex) {
        Logger.getLogger(PKIXChainValidation.class.getName()).log(Level.SEVERE, null, ex);
        return false;
    }
}
 
Example #5
Source File: ValidatePathWithParams.java    From TencentKona-8 with GNU General Public License v2.0 5 votes vote down vote up
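/**
 * Creates the X509 certificate factory, the PKIX path validator and the
 * validator's revocation checker, and records any additional trust roots.
 *
 * @param additionalTrustRoots trusted root certificates; {@code null}, an
 *        empty array, or an array whose first element is {@code null} all
 *        mean that no additional roots are recorded
 * @throws IOException declared by the signature; nothing in this body
 *         visibly throws it
 * @throws CertificateException if no X509 CertificateFactory is available
 * @throws NoSuchAlgorithmException if no PKIX CertPathValidator is available
 */
public ValidatePathWithParams(String[] additionalTrustRoots)
        throws IOException, CertificateException, NoSuchAlgorithmException {

    cf = CertificateFactory.getInstance("X509");
    certPathValidator = CertPathValidator.getInstance("PKIX");
    // The checker is taken from the validator it will be used with; its
    // options are left untouched here.
    certPathChecker
            = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();

    // Check the length before reading element 0, so that an empty array is
    // treated like "no additional roots" instead of raising
    // ArrayIndexOutOfBoundsException.
    if ((additionalTrustRoots == null) || (additionalTrustRoots.length == 0)
            || (additionalTrustRoots[0] == null)) {
        trustedRootCerts = null;
    } else {
        // Defensive copy: later changes to the caller's array are not seen.
        trustedRootCerts = additionalTrustRoots.clone();
    }
}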
 
Example #6
Source File: ValidatePathWithParams.java    From openjdk-jdk8u with GNU General Public License v2.0 5 votes vote down vote up
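/**
 * Creates the X509 certificate factory, the PKIX path validator and the
 * validator's revocation checker, and records any additional trust roots.
 *
 * @param additionalTrustRoots trusted root certificates; {@code null}, an
 *        empty array, or an array whose first element is {@code null} all
 *        mean that no additional roots are recorded
 * @throws IOException declared by the signature; nothing in this body
 *         visibly throws it
 * @throws CertificateException if no X509 CertificateFactory is available
 * @throws NoSuchAlgorithmException if no PKIX CertPathValidator is available
 */
public ValidatePathWithParams(String[] additionalTrustRoots)
        throws IOException, CertificateException, NoSuchAlgorithmException {

    cf = CertificateFactory.getInstance("X509");
    certPathValidator = CertPathValidator.getInstance("PKIX");
    // The checker is taken from the validator it will be used with; its
    // options are left untouched here.
    certPathChecker
            = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();

    // Check the length before reading element 0, so that an empty array is
    // treated like "no additional roots" instead of raising
    // ArrayIndexOutOfBoundsException.
    if ((additionalTrustRoots == null) || (additionalTrustRoots.length == 0)
            || (additionalTrustRoots[0] == null)) {
        trustedRootCerts = null;
    } else {
        // Defensive copy: later changes to the caller's array are not seen.
        trustedRootCerts = additionalTrustRoots.clone();
    }
}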
 
Example #7
Source File: ValidatePathWithParams.java    From jdk8u_jdk with GNU General Public License v2.0 5 votes vote down vote up
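/**
 * Creates the X509 certificate factory, the PKIX path validator and the
 * validator's revocation checker, and records any additional trust roots.
 *
 * @param additionalTrustRoots trusted root certificates; {@code null}, an
 *        empty array, or an array whose first element is {@code null} all
 *        mean that no additional roots are recorded
 * @throws IOException declared by the signature; nothing in this body
 *         visibly throws it
 * @throws CertificateException if no X509 CertificateFactory is available
 * @throws NoSuchAlgorithmException if no PKIX CertPathValidator is available
 */
public ValidatePathWithParams(String[] additionalTrustRoots)
        throws IOException, CertificateException, NoSuchAlgorithmException {

    cf = CertificateFactory.getInstance("X509");
    certPathValidator = CertPathValidator.getInstance("PKIX");
    // The checker is taken from the validator it will be used with; its
    // options are left untouched here.
    certPathChecker
            = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();

    // Check the length before reading element 0, so that an empty array is
    // treated like "no additional roots" instead of raising
    // ArrayIndexOutOfBoundsException.
    if ((additionalTrustRoots == null) || (additionalTrustRoots.length == 0)
            || (additionalTrustRoots[0] == null)) {
        trustedRootCerts = null;
    } else {
        // Defensive copy: later changes to the caller's array are not seen.
        trustedRootCerts = additionalTrustRoots.clone();
    }
}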
 
Example #8
Source File: SparkTrustManager.java    From Spark with Apache License 2.0 4 votes vote down vote up
/**
 * Builds and validates a PKIX certificate path for the presented chain,
 * applying the configured revocation policy.
 *
 * The last chain element is used as the selector target, so a path is only
 * found when the trust store (allStore) can anchor it. Revocation checking,
 * when configured, is done by an explicitly added PKIXRevocationChecker; the
 * default revocation mechanism is switched off.
 *
 * @param chain certificate chain to validate; element chain.length - 1 is
 *        read unconditionally, so the chain is assumed to be non-empty
 *        (TODO confirm that callers guarantee this)
 * @throws NoSuchAlgorithmException
 * @throws KeyStoreException
 * @throws InvalidAlgorithmParameterException
 * @throws CertPathValidatorException
 * @throws CertPathBuilderException
 * @throws CertificateException if the trust anchor has no certificate, or if
 *         a CertificateRevokedException was caught during build/validation
 */
private void validatePath(X509Certificate[] chain)
        throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException,
        CertPathValidatorException, CertPathBuilderException, CertificateException {
    // PKIX algorithm is defined in rfc3280 (since obsoleted by RFC 5280)
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");

    X509CertSelector certSelector = new X509CertSelector();

    // set last certificate (often root CA) from chain for CertSelector so trust store must contain it
    certSelector.setCertificate(chain[chain.length - 1]);

    // checks against time validity aren't done here as are already done in checkDateValidity (X509Certificate[]
    // chain)
    certSelector.setCertificateValid(null);
    // create parameters using trustStore as source of Trust Anchors and using X509CertSelector
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);

    // will use PKIXRevocationChecker (or nothing if revocation mechanisms are
    // disabled) instead of the default revocation checker
    parameters.setRevocationEnabled(false);   

    // if revoked certificates aren't accepted, but no revocation checks then only
    // certificates from blacklist will be rejected
    if (acceptRevoked == false) {
        
        // OCSP checking is done according to Java PKI Programmer's Guide, PKIXRevocationChecker was added in Java 8:
        // https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#PKIXRevocationChecker
        PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();

        EnumSet<PKIXRevocationChecker.Option> checkerOptions = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        // if soft fail isn't enabled then OCSP or CRL must pass validation, in case
        // when any of them cannot be validated verification will fail, if soft fail
        // is enabled then in case of network issues revocation checking is omitted
        // NOTE(review): with SOFT_FAIL, unreachable OCSP/CRL endpoints let the path validate,
        // so revocation checking is bypassed whenever those endpoints cannot be reached.
        if (allowSoftFail) {
            checkerOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        // check OCSP, CRL serve as backup
        if (checkOCSP && checkCRL) {
            checker.setOptions(checkerOptions);
            parameters.addCertPathChecker(checker);
        } else if (!checkOCSP && checkCRL) {
            // check only CRL, if CRL fail then there is no fallback to OCSP
            checkerOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS);
            checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
            checker.setOptions(checkerOptions);
            parameters.addCertPathChecker(checker);
        }
        // NOTE(review): when checkCRL is false (including checkOCSP == true with checkCRL == false)
        // neither branch adds the checker, and the default mechanism was disabled above, so the
        // path is validated without any OCSP/CRL check. Confirm the settings cannot produce
        // an OCSP-only configuration, or that this is intended.
                    
    }
    
    try {
        // The same parameters (selector, trust store, optional revocation checker) are used
        // first to build the path and then to validate it.
        CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
        CertPath certPath = pathResult.getCertPath();

        PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator
                .validate(certPath, parameters);
        X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();

        if (trustedCert == null) {
            throw new CertificateException("certificate path failed: Trusted CA is NULL");
        }
        // check if all certificates in path have Basic Constraints, only certificate that isn't required to have
        // this extension is last certificate: root CA
        for (int i = 0; i < chain.length - 1; i++) {
            checkBasicConstraints(chain[i]);
        }
    } catch (CertificateRevokedException e) {
        Log.warning("Certificate was revoked", e);
        // Every chain certificate that one of the CRLs in crlCollection lists as revoked is
        // added to the blacklist; a failure to do so is logged and does not stop the loop.
        for (X509Certificate cert : chain) {
            for (X509CRL crl : crlCollection) {
                if (crl.isRevoked(cert)) {
                    try {
                        addToBlackList(cert);
                    } catch (IOException | HeadlessException | InvalidNameException e1) {
                        Log.error("Couldn't move to the blacklist", e1);
                    }
                    // one matching CRL is enough for this certificate
                    break;
                }
            }
        }
        // NOTE(review): the rethrown exception carries only the message; the caught
        // CertificateRevokedException (reason, revocation date) is not attached as its cause.
        throw new CertificateException("Certificate was revoked");
    }
}
 
Example #9
Source File: ReverseState.java    From j2objc with Apache License 2.0 4 votes vote down vote up
/**
 * Records the trust anchor in this state and prepares the checkers that
 * could not be bound to an anchor earlier.
 *
 * At most one user-supplied {@link PKIXRevocationChecker} is accepted; a
 * second one aborts with a CertPathValidatorException. A user-supplied
 * checker is initialised whether or not revocation is enabled in the builder
 * parameters. The built-in RevocationChecker is created only when revocation
 * is enabled and the caller supplied no revocation checker.
 *
 * @param anchor the most-trusted CA
 * @param buildParams builder parameters
 */
public void updateState(TrustAnchor anchor, BuilderParams buildParams)
    throws CertificateException, IOException, CertPathValidatorException
{
    trustAnchor = anchor;

    // The anchor is given either as a certificate or as CA name + public key.
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        X500Principal anchorName = anchor.getCA();
        updateState(anchor.getCAPublicKey(), anchorName);
    } else {
        updateState(anchorCert);
    }

    // The user specified AlgorithmChecker and RevocationChecker may not be
    // able to set the trust anchor until now.
    boolean userRevCheckerSeen = false;
    for (PKIXCertPathChecker userChecker : userCheckers) {
        if (userChecker instanceof AlgorithmChecker) {
            ((AlgorithmChecker) userChecker).trySetTrustAnchor(anchor);
            continue;
        }
        if (!(userChecker instanceof PKIXRevocationChecker)) {
            continue;
        }
        if (userRevCheckerSeen) {
            throw new CertPathValidatorException(
                "Only one PKIXRevocationChecker can be specified");
        }
        // our own implementation additionally needs the anchor and parameters
        if (userChecker instanceof RevocationChecker) {
            ((RevocationChecker) userChecker).init(anchor, buildParams);
        }
        ((PKIXRevocationChecker) userChecker).init(false);
        userRevCheckerSeen = true;
    }

    // Fall back to the built-in checker only when revocation is enabled and
    // the caller did not bring a PKIXRevocationChecker.
    if (buildParams.revocationEnabled() && !userRevCheckerSeen) {
        revChecker = new RevocationChecker(anchor, buildParams);
        revChecker.init(false);
    }

    init = false;
}
 
Example #10
Source File: ReverseState.java    From jdk8u-dev-jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Records the trust anchor in this state and prepares the checkers that
 * could not be bound to an anchor earlier.
 *
 * At most one user-supplied {@link PKIXRevocationChecker} is accepted; a
 * second one aborts with a CertPathValidatorException. A user-supplied
 * checker is initialised whether or not revocation is enabled in the builder
 * parameters. The built-in RevocationChecker is created only when revocation
 * is enabled and the caller supplied no revocation checker.
 *
 * @param anchor the most-trusted CA
 * @param buildParams builder parameters
 */
public void updateState(TrustAnchor anchor, BuilderParams buildParams)
    throws CertificateException, IOException, CertPathValidatorException
{
    trustAnchor = anchor;

    // The anchor is given either as a certificate or as CA name + public key.
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        X500Principal anchorName = anchor.getCA();
        updateState(anchor.getCAPublicKey(), anchorName);
    } else {
        updateState(anchorCert);
    }

    // The user specified AlgorithmChecker and RevocationChecker may not be
    // able to set the trust anchor until now.
    boolean userRevCheckerSeen = false;
    for (PKIXCertPathChecker userChecker : userCheckers) {
        if (userChecker instanceof AlgorithmChecker) {
            ((AlgorithmChecker) userChecker).trySetTrustAnchor(anchor);
            continue;
        }
        if (!(userChecker instanceof PKIXRevocationChecker)) {
            continue;
        }
        if (userRevCheckerSeen) {
            throw new CertPathValidatorException(
                "Only one PKIXRevocationChecker can be specified");
        }
        // our own implementation additionally needs the anchor and parameters
        if (userChecker instanceof RevocationChecker) {
            ((RevocationChecker) userChecker).init(anchor, buildParams);
        }
        ((PKIXRevocationChecker) userChecker).init(false);
        userRevCheckerSeen = true;
    }

    // Fall back to the built-in checker only when revocation is enabled and
    // the caller did not bring a PKIXRevocationChecker.
    if (buildParams.revocationEnabled() && !userRevCheckerSeen) {
        revChecker = new RevocationChecker(anchor, buildParams);
        revChecker.init(false);
    }

    init = false;
}
 
Example #11
Source File: ReverseState.java    From jdk8u-jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Records the trust anchor in this state and prepares the checkers that
 * could not be bound to an anchor earlier.
 *
 * At most one user-supplied {@link PKIXRevocationChecker} is accepted; a
 * second one aborts with a CertPathValidatorException. A user-supplied
 * checker is initialised whether or not revocation is enabled in the builder
 * parameters. The built-in RevocationChecker is created only when revocation
 * is enabled and the caller supplied no revocation checker.
 *
 * @param anchor the most-trusted CA
 * @param buildParams builder parameters
 */
public void updateState(TrustAnchor anchor, BuilderParams buildParams)
    throws CertificateException, IOException, CertPathValidatorException
{
    trustAnchor = anchor;

    // The anchor is given either as a certificate or as CA name + public key.
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        X500Principal anchorName = anchor.getCA();
        updateState(anchor.getCAPublicKey(), anchorName);
    } else {
        updateState(anchorCert);
    }

    // The user specified AlgorithmChecker and RevocationChecker may not be
    // able to set the trust anchor until now.
    boolean userRevCheckerSeen = false;
    for (PKIXCertPathChecker userChecker : userCheckers) {
        if (userChecker instanceof AlgorithmChecker) {
            ((AlgorithmChecker) userChecker).trySetTrustAnchor(anchor);
            continue;
        }
        if (!(userChecker instanceof PKIXRevocationChecker)) {
            continue;
        }
        if (userRevCheckerSeen) {
            throw new CertPathValidatorException(
                "Only one PKIXRevocationChecker can be specified");
        }
        // our own implementation additionally needs the anchor and parameters
        if (userChecker instanceof RevocationChecker) {
            ((RevocationChecker) userChecker).init(anchor, buildParams);
        }
        ((PKIXRevocationChecker) userChecker).init(false);
        userRevCheckerSeen = true;
    }

    // Fall back to the built-in checker only when revocation is enabled and
    // the caller did not bring a PKIXRevocationChecker.
    if (buildParams.revocationEnabled() && !userRevCheckerSeen) {
        revChecker = new RevocationChecker(anchor, buildParams);
        revChecker.init(false);
    }

    init = false;
}
 
Example #12
Source File: ValidatePathWithParams.java    From jdk8u_jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Restricts revocation checking to CRLs: CRLs are preferred over OCSP and
 * the fallback to the other mechanism is switched off.
 *
 * SOFT_FAIL is not among the options set here, so the checker itself is not
 * told to tolerate network failures.
 * NOTE(review): the earlier summary said network errors are treated as
 * success; if that holds, it has to be implemented where validation is run,
 * which is not visible in this method - confirm.
 */
public void enableCRLCheck() {
    EnumSet<PKIXRevocationChecker.Option> crlOnly = EnumSet.of(
            PKIXRevocationChecker.Option.PREFER_CRLS,
            PKIXRevocationChecker.Option.NO_FALLBACK);
    certPathChecker.setOptions(crlOnly);
}
 
Example #13
Source File: ValidatePathWithParams.java    From jdk8u_jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Restricts revocation checking to OCSP by switching off the fallback to
 * CRLs; OCSP is the mechanism the checker prefers by default.
 *
 * SOFT_FAIL is not among the options set here, so the checker itself is not
 * told to tolerate network failures.
 * NOTE(review): the earlier summary said network errors are treated as
 * success; if that holds, it has to be implemented where validation is run,
 * which is not visible in this method - confirm.
 */
public void enableOCSPCheck() {
    EnumSet<PKIXRevocationChecker.Option> ocspOnly =
            EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK);
    certPathChecker.setOptions(ocspOnly);
}
 
Example #14
Source File: ReverseState.java    From openjdk-8 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Records the trust anchor in this state and prepares the checkers that
 * could not be bound to an anchor earlier.
 *
 * At most one user-supplied {@link PKIXRevocationChecker} is accepted; a
 * second one aborts with a CertPathValidatorException. A user-supplied
 * checker is initialised whether or not revocation is enabled in the builder
 * parameters. The built-in RevocationChecker is created only when revocation
 * is enabled and the caller supplied no revocation checker.
 *
 * @param anchor the most-trusted CA
 * @param buildParams builder parameters
 */
public void updateState(TrustAnchor anchor, BuilderParams buildParams)
    throws CertificateException, IOException, CertPathValidatorException
{
    trustAnchor = anchor;

    // The anchor is given either as a certificate or as CA name + public key.
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        X500Principal anchorName = anchor.getCA();
        updateState(anchor.getCAPublicKey(), anchorName);
    } else {
        updateState(anchorCert);
    }

    // The user specified AlgorithmChecker and RevocationChecker may not be
    // able to set the trust anchor until now.
    boolean userRevCheckerSeen = false;
    for (PKIXCertPathChecker userChecker : userCheckers) {
        if (userChecker instanceof AlgorithmChecker) {
            ((AlgorithmChecker) userChecker).trySetTrustAnchor(anchor);
            continue;
        }
        if (!(userChecker instanceof PKIXRevocationChecker)) {
            continue;
        }
        if (userRevCheckerSeen) {
            throw new CertPathValidatorException(
                "Only one PKIXRevocationChecker can be specified");
        }
        // our own implementation additionally needs the anchor and parameters
        if (userChecker instanceof RevocationChecker) {
            ((RevocationChecker) userChecker).init(anchor, buildParams);
        }
        ((PKIXRevocationChecker) userChecker).init(false);
        userRevCheckerSeen = true;
    }

    // Fall back to the built-in checker only when revocation is enabled and
    // the caller did not bring a PKIXRevocationChecker.
    if (buildParams.revocationEnabled() && !userRevCheckerSeen) {
        revChecker = new RevocationChecker(anchor, buildParams);
        revChecker.init(false);
    }

    init = false;
}
 
Example #15
Source File: ReverseState.java    From openjdk-8-source with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Records the trust anchor in this state and prepares the checkers that
 * could not be bound to an anchor earlier.
 *
 * At most one user-supplied {@link PKIXRevocationChecker} is accepted; a
 * second one aborts with a CertPathValidatorException. A user-supplied
 * checker is initialised whether or not revocation is enabled in the builder
 * parameters. The built-in RevocationChecker is created only when revocation
 * is enabled and the caller supplied no revocation checker.
 *
 * @param anchor the most-trusted CA
 * @param buildParams builder parameters
 */
public void updateState(TrustAnchor anchor, BuilderParams buildParams)
    throws CertificateException, IOException, CertPathValidatorException
{
    trustAnchor = anchor;

    // The anchor is given either as a certificate or as CA name + public key.
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        X500Principal anchorName = anchor.getCA();
        updateState(anchor.getCAPublicKey(), anchorName);
    } else {
        updateState(anchorCert);
    }

    // The user specified AlgorithmChecker and RevocationChecker may not be
    // able to set the trust anchor until now.
    boolean userRevCheckerSeen = false;
    for (PKIXCertPathChecker userChecker : userCheckers) {
        if (userChecker instanceof AlgorithmChecker) {
            ((AlgorithmChecker) userChecker).trySetTrustAnchor(anchor);
            continue;
        }
        if (!(userChecker instanceof PKIXRevocationChecker)) {
            continue;
        }
        if (userRevCheckerSeen) {
            throw new CertPathValidatorException(
                "Only one PKIXRevocationChecker can be specified");
        }
        // our own implementation additionally needs the anchor and parameters
        if (userChecker instanceof RevocationChecker) {
            ((RevocationChecker) userChecker).init(anchor, buildParams);
        }
        ((PKIXRevocationChecker) userChecker).init(false);
        userRevCheckerSeen = true;
    }

    // Fall back to the built-in checker only when revocation is enabled and
    // the caller did not bring a PKIXRevocationChecker.
    if (buildParams.revocationEnabled() && !userRevCheckerSeen) {
        revChecker = new RevocationChecker(anchor, buildParams);
        revChecker.init(false);
    }

    init = false;
}
 
Example #16
Source File: AbstractTrustStore.java    From qpid-broker-j with Apache License 2.0 4 votes vote down vote up
/**
 * Creates the PKIX builder parameters for the given trust store, including
 * the configured revocation policy.
 *
 * When revocation checking is enabled, a PKIXRevocationChecker is added with
 * the options selected by this store's settings; with SOFT_FAIL among them,
 * a revocation status that cannot be obtained does not fail validation.
 * NOTE(review): the CertPathBuilder algorithm name is taken from
 * TrustManagerFactory.getDefaultAlgorithm(); presumably that resolves to
 * "PKIX" - confirm for deployments that change the default.
 *
 * @param trustStore key store providing the trust anchors
 * @return the builder parameters
 */
private CertPathParameters getParameters(KeyStore trustStore)
{
    try
    {
        final PKIXBuilderParameters builderParameters =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        builderParameters.setRevocationEnabled(_certificateRevocationCheckEnabled);
        if (!_certificateRevocationCheckEnabled)
        {
            return builderParameters;
        }

        // CRLs obtained by this store are offered to the builder as a cert store.
        if (_certificateRevocationListUrl != null)
        {
            final CollectionCertStoreParameters crlStoreParameters =
                    new CollectionCertStoreParameters(getCRLs());
            builderParameters.addCertStore(CertStore.getInstance("Collection", crlStoreParameters));
        }

        final CertPathBuilder pathBuilder =
                CertPathBuilder.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        final PKIXRevocationChecker checker = (PKIXRevocationChecker) pathBuilder.getRevocationChecker();

        // Translate each configuration flag into the matching checker option.
        final Set<PKIXRevocationChecker.Option> selectedOptions = new HashSet<>();
        if (_certificateRevocationCheckOfOnlyEndEntityCertificates)
        {
            selectedOptions.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
        }
        if (_certificateRevocationCheckWithPreferringCertificateRevocationList)
        {
            selectedOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS);
        }
        if (_certificateRevocationCheckWithNoFallback)
        {
            selectedOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
        }
        if (_certificateRevocationCheckWithIgnoringSoftFailures)
        {
            selectedOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        checker.setOptions(selectedOptions);
        builderParameters.addCertPathChecker(checker);
        return builderParameters;
    }
    catch (NoSuchAlgorithmException | KeyStoreException | InvalidAlgorithmParameterException e)
    {
        throw new IllegalConfigurationException("Cannot create trust manager factory parameters for truststore '" +
                getName() + "' :" + e, e);
    }
}
 
Example #17
Source File: SSLSocketWithStapling.java    From openjdk-jdk9 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Exercises the soft-fail path: stapling is enabled on both sides, but the
 * OCSP responders reject connections, so no stapled response is produced.
 * The client checks revocation with SOFT_FAIL, and the test passes only if
 * neither side reports an exception.
 *
 * The "ocsp.enable" security property is set to "true" here and is not
 * reset by this method. Before returning, the responders are switched back
 * to accepting connections and the method waits until both report ready.
 */
static void testSoftFailFallback() throws Exception {
    ClientParameters cliParams = new ClientParameters();
    ServerParameters servParams = new ServerParameters();
    serverReady = false;

    // make OCSP responders reject connections
    intOcsp.rejectConnections();
    rootOcsp.rejectConnections();

    System.out.println("=======================================");
    System.out.println("Stapling enbled in client and server,");
    System.out.println("but OCSP responders disabled.");
    System.out.println("PKIXParameters with Revocation checking");
    System.out.println("enabled and SOFT_FAIL.");
    System.out.println("=======================================");

    Security.setProperty("ocsp.enable", "true");
    cliParams.pkixParams = new PKIXBuilderParameters(trustStore,
            new X509CertSelector());
    cliParams.pkixParams.setRevocationEnabled(true);

    // SOFT_FAIL: an unreachable responder must not fail the handshake.
    CertPathValidator pkixValidator = CertPathValidator.getInstance("PKIX");
    cliParams.revChecker =
            (PKIXRevocationChecker) pkixValidator.getRevocationChecker();
    cliParams.revChecker.setOptions(EnumSet.of(Option.SOFT_FAIL));

    SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams,
            servParams);
    TestResult outcome = sslTest.getResult();
    if (outcome.clientExc != null) {
        throw outcome.clientExc;
    }
    if (outcome.serverExc != null) {
        throw outcome.serverExc;
    }

    System.out.println("                 PASS");
    System.out.println("=======================================\n");

    // Make OCSP responders accept connections
    intOcsp.acceptConnections();
    rootOcsp.acceptConnections();

    // Wait up to 5 seconds (100 polls of 50 ms) for both responders
    int polls = 0;
    while (polls < 100 && !(intOcsp.isServerReady() && rootOcsp.isServerReady())) {
        Thread.sleep(50);
        polls++;
    }
    if (!(intOcsp.isServerReady() && rootOcsp.isServerReady())) {
        throw new RuntimeException("Server not ready yet");
    }
}
 
Example #18
Source File: ValidatePathWithParams.java    From openjdk-jdk8u with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Restricts revocation checking to CRLs: CRLs are preferred over OCSP and
 * the fallback to the other mechanism is switched off.
 *
 * SOFT_FAIL is not among the options set here, so the checker itself is not
 * told to tolerate network failures.
 * NOTE(review): the earlier summary said network errors are treated as
 * success; if that holds, it has to be implemented where validation is run,
 * which is not visible in this method - confirm.
 */
public void enableCRLCheck() {
    EnumSet<PKIXRevocationChecker.Option> crlOnly = EnumSet.of(
            PKIXRevocationChecker.Option.PREFER_CRLS,
            PKIXRevocationChecker.Option.NO_FALLBACK);
    certPathChecker.setOptions(crlOnly);
}
 
Example #19
Source File: ValidatePathWithParams.java    From openjdk-jdk8u with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Restricts revocation checking to OCSP by switching off the fallback to
 * CRLs; OCSP is the mechanism the checker prefers by default.
 *
 * SOFT_FAIL is not among the options set here, so the checker itself is not
 * told to tolerate network failures.
 * NOTE(review): the earlier summary said network errors are treated as
 * success; if that holds, it has to be implemented where validation is run,
 * which is not visible in this method - confirm.
 */
public void enableOCSPCheck() {
    EnumSet<PKIXRevocationChecker.Option> ocspOnly =
            EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK);
    certPathChecker.setOptions(ocspOnly);
}
 
Example #20
Source File: ReverseState.java    From jdk8u60 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Records the trust anchor in this state and prepares the checkers that
 * could not be bound to an anchor earlier.
 *
 * At most one user-supplied {@link PKIXRevocationChecker} is accepted; a
 * second one aborts with a CertPathValidatorException. A user-supplied
 * checker is initialised whether or not revocation is enabled in the builder
 * parameters. The built-in RevocationChecker is created only when revocation
 * is enabled and the caller supplied no revocation checker.
 *
 * @param anchor the most-trusted CA
 * @param buildParams builder parameters
 */
public void updateState(TrustAnchor anchor, BuilderParams buildParams)
    throws CertificateException, IOException, CertPathValidatorException
{
    trustAnchor = anchor;

    // The anchor is given either as a certificate or as CA name + public key.
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        X500Principal anchorName = anchor.getCA();
        updateState(anchor.getCAPublicKey(), anchorName);
    } else {
        updateState(anchorCert);
    }

    // The user specified AlgorithmChecker and RevocationChecker may not be
    // able to set the trust anchor until now.
    boolean userRevCheckerSeen = false;
    for (PKIXCertPathChecker userChecker : userCheckers) {
        if (userChecker instanceof AlgorithmChecker) {
            ((AlgorithmChecker) userChecker).trySetTrustAnchor(anchor);
            continue;
        }
        if (!(userChecker instanceof PKIXRevocationChecker)) {
            continue;
        }
        if (userRevCheckerSeen) {
            throw new CertPathValidatorException(
                "Only one PKIXRevocationChecker can be specified");
        }
        // our own implementation additionally needs the anchor and parameters
        if (userChecker instanceof RevocationChecker) {
            ((RevocationChecker) userChecker).init(anchor, buildParams);
        }
        ((PKIXRevocationChecker) userChecker).init(false);
        userRevCheckerSeen = true;
    }

    // Fall back to the built-in checker only when revocation is enabled and
    // the caller did not bring a PKIXRevocationChecker.
    if (buildParams.revocationEnabled() && !userRevCheckerSeen) {
        revChecker = new RevocationChecker(anchor, buildParams);
        revChecker.init(false);
    }

    init = false;
}
 
Example #21
Source File: ValidatePathWithParams.java    From TencentKona-8 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Restricts revocation checking to CRLs: CRLs are preferred over OCSP and
 * the fallback to the other mechanism is switched off.
 *
 * SOFT_FAIL is not among the options set here, so the checker itself is not
 * told to tolerate network failures.
 * NOTE(review): the earlier summary said network errors are treated as
 * success; if that holds, it has to be implemented where validation is run,
 * which is not visible in this method - confirm.
 */
public void enableCRLCheck() {
    EnumSet<PKIXRevocationChecker.Option> crlOnly = EnumSet.of(
            PKIXRevocationChecker.Option.PREFER_CRLS,
            PKIXRevocationChecker.Option.NO_FALLBACK);
    certPathChecker.setOptions(crlOnly);
}
 
Example #22
Source File: ValidatePathWithParams.java    From TencentKona-8 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Restricts revocation checking to OCSP by switching off the fallback to
 * CRLs; OCSP is the mechanism the checker prefers by default.
 *
 * SOFT_FAIL is not among the options set here, so the checker itself is not
 * told to tolerate network failures.
 * NOTE(review): the earlier summary said network errors are treated as
 * success; if that holds, it has to be implemented where validation is run,
 * which is not visible in this method - confirm.
 */
public void enableOCSPCheck() {
    EnumSet<PKIXRevocationChecker.Option> ocspOnly =
            EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK);
    certPathChecker.setOptions(ocspOnly);
}
 
Example #23
Source File: ValidatePathWithParams.java    From dragonwell8_jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Restricts revocation checking to CRLs: CRLs are preferred over OCSP and
 * the fallback to the other mechanism is switched off.
 *
 * SOFT_FAIL is not among the options set here, so the checker itself is not
 * told to tolerate network failures.
 * NOTE(review): the earlier summary said network errors are treated as
 * success; if that holds, it has to be implemented where validation is run,
 * which is not visible in this method - confirm.
 */
public void enableCRLCheck() {
    EnumSet<PKIXRevocationChecker.Option> crlOnly = EnumSet.of(
            PKIXRevocationChecker.Option.PREFER_CRLS,
            PKIXRevocationChecker.Option.NO_FALLBACK);
    certPathChecker.setOptions(crlOnly);
}
 
Example #24
Source File: ValidatePathWithParams.java    From dragonwell8_jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Restricts revocation checking to OCSP by switching off the fallback to
 * CRLs; OCSP is the mechanism the checker prefers by default.
 *
 * SOFT_FAIL is not among the options set here, so the checker itself is not
 * told to tolerate network failures.
 * NOTE(review): the earlier summary said network errors are treated as
 * success; if that holds, it has to be implemented where validation is run,
 * which is not visible in this method - confirm.
 */
public void enableOCSPCheck() {
    EnumSet<PKIXRevocationChecker.Option> ocspOnly =
            EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK);
    certPathChecker.setOptions(ocspOnly);
}